
Microsoft fixes 17 flaws in 11 patches; 6 are 'critical'

Most of the patches deemed "critical" affect Microsoft Office, and include Office for Mac.

Robert Vamosi, Former Editor

Microsoft on Tuesday released its February 2008 security bulletins, 11 in all: six are deemed "critical" by Microsoft and five "important." One bulletin suggested in the advance notice posted Thursday was not released Tuesday. A majority of the "critical" patches affect Microsoft Office; two of the critical patches also cover users of Office for Mac 2004, and one affects Visual Basic 6.

The "important" patches are mostly related to Internet services. One patch is specific to Windows Vista; however, all the Windows Vista-related updates will be included in Windows Vista SP1, which is expected to roll out to consumers in mid-to-late March.

Tim Rains, security response communications lead for Microsoft, humorously noted that "Windows Vista SP1 and Windows Server 2008 are not affected by any of today's bulletins." They're not affected because they are not yet available to the public. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-003: Important

Titled "Vulnerability in Active Directory Could Allow Denial of Service (946538)," this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, but does not affect Windows Vista. A vulnerability detailed in CVE-2008-0088 exists in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and Active Directory Application Mode (ADAM). Microsoft says "attacker must have valid log-on credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart."

MS08-004: Important

Titled "Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)," this bulletin only affects users of Windows Vista. The update addresses the vulnerability detailed in CVE-2008-0084 that exists in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. Microsoft says "an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart."

MS08-005: Important

Titled "Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)," this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, and Vista. The update addresses the vulnerability detailed in CVE-2008-0074 that exists in Internet Information Services (IIS). Microsoft says "a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-006: Important

Titled "Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)," this bulletin affects users of Microsoft Windows XP SP2 and Server 2003, but not Windows 2000 or Vista. The update addresses the vulnerability detailed in CVE-2008-0075 that exists in the way that IIS handles input to ASP Web pages. Microsoft says "An attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). The WPI is configured with Network Service account privileges by default. IIS servers with ASP pages whose application pools are configured with a WPI that uses an account with administrative privileges could be more seriously impacted than IIS servers whose application pool is configured with the default WPI settings."
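Because the impact of MS08-006 scales with the account the application pool runs under, the first thing an administrator wants to know is which pools have been moved off the default Network Service identity. The following PowerShell script is an added example, not part of the article or of any Microsoft bulletin; it assumes Windows Server 2003 with IIS 6 and its WMI provider (the root\MicrosoftIISv2 namespace), and PowerShell 2.0 for New-Object -Property. The numeric-to-name mapping for AppPoolIdentityType (0 LocalSystem, 1 LocalService, 2 NetworkService, 3 SpecificUser) is the IIS 6 metabase convention.

```powershell
# Added example (not from the article): list IIS 6 application pools whose
# worker process identity (WPI) is anything other than the default NetworkService.
# Assumes Server 2003 / IIS 6 with the WMI provider in root\MicrosoftIISv2.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

function Get-NonDefaultAppPoolIdentity {
    # IIsApplicationPoolSetting exposes one instance per pool, e.g. W3SVC/AppPools/DefaultAppPool
    $pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting -ErrorAction Stop
    foreach ($pool in $pools) {
        $type  = [int]$pool.AppPoolIdentityType
        $label = $identityNames[$type]
        if ($type -eq 3) {
            # A configured account; WAMUserName holds the user name (DOMAIN\user or local user)
            $label = "SpecificUser ($($pool.WAMUserName))"
        }
        if ($type -ne 2) {
            # Anything but NetworkService deserves review: LocalSystem and admin accounts
            # turn an ASP bug from a Network Service compromise into full control of the host.
            New-Object PSObject -Property @{ AppPool = $pool.Name; Identity = $label }
        }
    }
}

Get-NonDefaultAppPoolIdentity | Format-Table AppPool, Identity -AutoSize
```

An empty result means every pool runs as Network Service, the default the bulletin describes. Pools listed as LocalSystem or as a SpecificUser that belongs to Administrators are the ones where applying KB942830 quickly matters most, and where the identity itself should be reconsidered regardless of the patch.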

MS08-007: Critical

Titled "Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)," this bulletin affects users of Microsoft Windows XP SP2, Server 2003, and Vista, but not Windows 2000. This update addresses the vulnerability detailed in CVE-2008-0080 in the WebDAV Mini-Redirector. Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-008: Critical

Titled "Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)," this bulletin affects users of all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for Mac, and Visual Basic 6. The update addresses the vulnerability detailed in CVE-2007-0065. If exploited, the vulnerability could allow remote code execution through attacks on Object Linking and Embedding (OLE) Automation if a user viewed a specially crafted Web page.

MS08-009: Critical

Titled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)," this bulletin affects users of Microsoft Word 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Word Viewer 2003, but does not affect Microsoft Office 2003 Service Pack 3, Microsoft Word Viewer 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac. The update addresses the vulnerability detailed in CVE-2008-0109 and could allow remote code execution if a user opens a specially crafted Word file. Microsoft says "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-010: Critical

Titled "Cumulative Security Update for Internet Explorer (944533)," this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, but not Windows Vista. The update addresses the vulnerabilities detailed in CVE-2008-0076, CVE-2008-0077, CVE-2008-0078, and CVE-2007-4790. Microsoft says "the most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-011: Important

Titled "Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)," this bulletin affects users of Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, Microsoft Works 8.0, Microsoft Works Suite 2005, but not Microsoft Works 8.5, Microsoft Works 9.0, Microsoft Works Suite 2006, 2007 Microsoft Office System, Microsoft Office 2000, and Microsoft Office XP. The update addresses the vulnerabilities detailed in CVE-2007-0216, CVE-2008-0105, and CVE-2008-0108 that could allow remote code execution if a user opens a specially crafted Works (.wps) file with an affected version of Microsoft Office, Microsoft Works, or Microsoft Works Suite. Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-012: Critical

Titled "Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085)," this bulletin affects users of Microsoft Publisher 2000, 2002, XP, 2003 SP2, but not Microsoft Publisher 2003 SP3 or 2007. The update addresses the vulnerabilities detailed in CVE-2008-0102 and CVE-2008-0104 that could allow remote code execution if a user opens a specially crafted Publisher file. Microsoft says "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-013: Critical

Titled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108)," this bulletin replaces previous bulletins MS06-047 and MS07-060. This bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, and Microsoft Office 2004 for Mac, but not Microsoft Office 2003 Service Pack 3, Microsoft Excel Viewer 2003, Microsoft PowerPoint 2003 Viewer, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft Office 2008 for Mac. The update addresses the vulnerability detailed in CVE-2008-0103 that could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. Microsoft says "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
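With 11 bulletins in one month, an administrator usually wants a quick per-machine check of which ones landed. The PowerShell script below is an added example, not part of the article or of Microsoft's bulletins; it takes the bulletin-to-KB mapping straight from the bulletin titles above and compares it against the Windows hotfix inventory (Win32_QuickFixEngineering). Only the Windows-component bulletins are included because Office, Works, Publisher and Visual Basic updates are not recorded in that WMI class; those have to be verified through the Office update history or file versions instead. The script assumes PowerShell 2.0 and a Windows 2000/XP/2003/Vista host.

```powershell
# Added example (not from the article): report which February 2008 Windows
# bulletins are present on this machine. KB numbers are the ones in the article's
# bulletin titles. Office/Works/Publisher/VB6 updates are not tracked by
# Win32_QuickFixEngineering and are deliberately left out of this map.
$bulletins = @{
    'MS08-003' = 'KB946538'   # Active Directory denial of service
    'MS08-004' = 'KB946456'   # Windows TCP/IP denial of service (Vista only)
    'MS08-005' = 'KB942831'   # IIS elevation of privilege
    'MS08-006' = 'KB942830'   # IIS ASP remote code execution (XP SP2 / Server 2003 only)
    'MS08-007' = 'KB946026'   # WebDAV Mini-Redirector remote code execution
    'MS08-008' = 'KB947890'   # OLE Automation remote code execution
    'MS08-010' = 'KB944533'   # Internet Explorer cumulative update (not Vista)
}

function Get-BulletinStatus {
    param([hashtable]$Map)
    # HotFixID values are of the form "KB946538" on XP/2003/Vista
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
    foreach ($id in ($Map.Keys | Sort-Object)) {
        $kb = $Map[$id]
        $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        New-Object PSObject -Property @{ Bulletin = $id; KB = $kb; Status = $state }
    }
}

Get-BulletinStatus -Map $bulletins | Format-Table Bulletin, KB, Status -AutoSize
```

A "MISSING" row is only a finding when the bulletin applies to that operating system: MS08-004 will always show as missing on XP and Server 2003, and MS08-006 and MS08-010 on Vista, exactly as the affected-platform lists above say. Running the same script across a fleet and filtering out those expected gaps gives a defensible picture of where the critical updates have not yet been installed.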